Merge branch 'master' of mooncake.coders.se:/home/git/kore into acme
commit
449fffca44
2
Makefile
2
Makefile
|
@ -29,7 +29,7 @@ CFLAGS+=-DPREFIX='"$(PREFIX)"' -fstack-protector-all
|
||||||
|
|
||||||
ifneq ("$(OPENSSL_PATH)", "")
|
ifneq ("$(OPENSSL_PATH)", "")
|
||||||
CFLAGS+=-I$(OPENSSL_PATH)/include
|
CFLAGS+=-I$(OPENSSL_PATH)/include
|
||||||
LDFLAGS=-rdynamic -L$(OPENSSL_PATH) -lssl -l$(KORE_CRYPTO)
|
LDFLAGS=-rdynamic -L$(OPENSSL_PATH)/lib -lssl -l$(KORE_CRYPTO)
|
||||||
else
|
else
|
||||||
LDFLAGS=-rdynamic -lssl -l$(KORE_CRYPTO)
|
LDFLAGS=-rdynamic -lssl -l$(KORE_CRYPTO)
|
||||||
endif
|
endif
|
||||||
|
|
|
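Review bot: The new `-L$(OPENSSL_PATH)/lib` only changes where the linker searches at build time; nothing here tells the dynamic loader where that OpenSSL lives, so a kore built against a private OpenSSL tree can still load the system `libssl`/`libcrypto` at runtime (or fail to start) unless `LD_LIBRARY_PATH` or an rpath is set, and a silent header/library version mismatch is easy to miss. If a private tree is the intended use, consider `LDFLAGS=-rdynamic -L$(OPENSSL_PATH)/lib -Wl,-rpath,$(OPENSSL_PATH)/lib -lssl -l$(KORE_CRYPTO)`, or at least a comment above the `ifneq` such as `# -L affects link time only; the runtime search path (rpath/LD_LIBRARY_PATH) must be set separately`. The `/lib` suffix also assumes the tree installs to `lib` rather than `lib64`, which the same comment could state.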
@ -185,7 +185,8 @@ kore_connection_check_timeout(u_int64_t now)
|
||||||
if (c->proto == CONN_PROTO_MSG)
|
if (c->proto == CONN_PROTO_MSG)
|
||||||
continue;
|
continue;
|
||||||
#if !defined(KORE_NO_HTTP)
|
#if !defined(KORE_NO_HTTP)
|
||||||
if (c->state == CONN_STATE_ESTABLISHED) {
|
if (c->state == CONN_STATE_ESTABLISHED &&
|
||||||
|
c->proto == CONN_PROTO_HTTP) {
|
||||||
if (!http_check_timeout(c, now))
|
if (!http_check_timeout(c, now))
|
||||||
continue;
|
continue;
|
||||||
if (!TAILQ_EMPTY(&c->http_requests))
|
if (!TAILQ_EMPTY(&c->http_requests))
|
||||||
|
|
|
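Review bot: With the added `c->proto == CONN_PROTO_HTTP` condition, an established connection whose proto is neither HTTP nor MSG now skips the whole block, so neither `http_check_timeout()` nor the `http_requests` check runs for it; unless a timeout for such connections is enforced elsewhere in kore_connection_check_timeout (the function starts and ends outside this hunk), an idle non-HTTP connection could be held open indefinitely, which is a cheap resource-exhaustion vector against an exposed listener. If the exclusion is deliberate because the other protocol manages its own lifetime, a comment above the `if` such as `/* Only HTTP connections carry request-level timeouts; other protos are timed out by their own handlers. */` would make that intent visible to the next protocol added. Otherwise check what the code after the `#endif` does for those connections before merging.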
@ -71,7 +71,9 @@
|
||||||
/* The syscalls our keymgr is allowed to perform, only. */
|
/* The syscalls our keymgr is allowed to perform, only. */
|
||||||
static struct sock_filter filter_keymgr[] = {
|
static struct sock_filter filter_keymgr[] = {
|
||||||
/* Required to deal with private keys and certs. */
|
/* Required to deal with private keys and certs. */
|
||||||
|
#if defined(SYS_open)
|
||||||
KORE_SYSCALL_ALLOW(open),
|
KORE_SYSCALL_ALLOW(open),
|
||||||
|
#endif
|
||||||
KORE_SYSCALL_ALLOW(read),
|
KORE_SYSCALL_ALLOW(read),
|
||||||
KORE_SYSCALL_ALLOW(write),
|
KORE_SYSCALL_ALLOW(write),
|
||||||
KORE_SYSCALL_ALLOW(close),
|
KORE_SYSCALL_ALLOW(close),
|
||||||
|
@ -81,10 +83,14 @@ static struct sock_filter filter_keymgr[] = {
|
||||||
KORE_SYSCALL_ALLOW(openat),
|
KORE_SYSCALL_ALLOW(openat),
|
||||||
|
|
||||||
/* Net related. */
|
/* Net related. */
|
||||||
|
#if defined(SYS_poll)
|
||||||
KORE_SYSCALL_ALLOW(poll),
|
KORE_SYSCALL_ALLOW(poll),
|
||||||
|
#endif
|
||||||
KORE_SYSCALL_ALLOW(sendto),
|
KORE_SYSCALL_ALLOW(sendto),
|
||||||
KORE_SYSCALL_ALLOW(recvfrom),
|
KORE_SYSCALL_ALLOW(recvfrom),
|
||||||
|
#if defined(SYS_epoll_wait)
|
||||||
KORE_SYSCALL_ALLOW(epoll_wait),
|
KORE_SYSCALL_ALLOW(epoll_wait),
|
||||||
|
#endif
|
||||||
KORE_SYSCALL_ALLOW(epoll_pwait),
|
KORE_SYSCALL_ALLOW(epoll_pwait),
|
||||||
|
|
||||||
/* Process things. */
|
/* Process things. */
|
||||||
|
@ -92,7 +98,9 @@ static struct sock_filter filter_keymgr[] = {
|
||||||
KORE_SYSCALL_ALLOW(kill),
|
KORE_SYSCALL_ALLOW(kill),
|
||||||
KORE_SYSCALL_ALLOW(getuid),
|
KORE_SYSCALL_ALLOW(getuid),
|
||||||
KORE_SYSCALL_ALLOW(getpid),
|
KORE_SYSCALL_ALLOW(getpid),
|
||||||
|
#if defined(SYS_arch_prctl)
|
||||||
KORE_SYSCALL_ALLOW(arch_prctl),
|
KORE_SYSCALL_ALLOW(arch_prctl),
|
||||||
|
#endif
|
||||||
KORE_SYSCALL_ALLOW(exit_group),
|
KORE_SYSCALL_ALLOW(exit_group),
|
||||||
KORE_SYSCALL_ALLOW(sigaltstack),
|
KORE_SYSCALL_ALLOW(sigaltstack),
|
||||||
KORE_SYSCALL_ALLOW(rt_sigreturn),
|
KORE_SYSCALL_ALLOW(rt_sigreturn),
|
||||||
|
|
|
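Review bot: Wrapping `poll`, `open`, `epoll_wait` and `arch_prctl` in `#if defined(SYS_...)` makes filter_keymgr compile on AArch64, but it does not allow what the C library actually issues there: AArch64 has no `SYS_poll`, and libc implements `poll()` with `ppoll`, yet the new list still has no `KORE_SYSCALL_ALLOW(ppoll)`, so the first `poll()` from the keymgr would hit the filter's default action. `open()` and `epoll_wait()` are covered because `openat` and `epoll_pwait` are already allowed unconditionally. I would add `#if defined(SYS_ppoll)` / `KORE_SYSCALL_ALLOW(ppoll),` / `#endif` beside the `poll` entry, with a comment above the net block such as `/* AArch64 lacks poll/epoll_wait; libc uses ppoll/epoll_pwait there. */`. Whether the keymgr calls poll() at all is not visible from this hunk, so confirm before adding.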
@ -19,7 +19,7 @@
|
||||||
#include <sys/epoll.h>
|
#include <sys/epoll.h>
|
||||||
#include <sys/ptrace.h>
|
#include <sys/ptrace.h>
|
||||||
#include <sys/prctl.h>
|
#include <sys/prctl.h>
|
||||||
#include <sys/reg.h>
|
#include <sys/user.h>
|
||||||
#include <sys/syscall.h>
|
#include <sys/syscall.h>
|
||||||
|
|
||||||
#include <linux/seccomp.h>
|
#include <linux/seccomp.h>
|
||||||
|
@ -50,21 +50,33 @@ static struct sock_filter filter_kore[] = {
|
||||||
KORE_SYSCALL_DENY(ioctl, EACCES),
|
KORE_SYSCALL_DENY(ioctl, EACCES),
|
||||||
|
|
||||||
/* File related. */
|
/* File related. */
|
||||||
|
#if defined(SYS_open)
|
||||||
KORE_SYSCALL_ALLOW(open),
|
KORE_SYSCALL_ALLOW(open),
|
||||||
|
#endif
|
||||||
KORE_SYSCALL_ALLOW(read),
|
KORE_SYSCALL_ALLOW(read),
|
||||||
|
#if defined(SYS_stat)
|
||||||
KORE_SYSCALL_ALLOW(stat),
|
KORE_SYSCALL_ALLOW(stat),
|
||||||
|
#endif
|
||||||
|
#if defined(SYS_lstat)
|
||||||
KORE_SYSCALL_ALLOW(lstat),
|
KORE_SYSCALL_ALLOW(lstat),
|
||||||
|
#endif
|
||||||
KORE_SYSCALL_ALLOW(fstat),
|
KORE_SYSCALL_ALLOW(fstat),
|
||||||
KORE_SYSCALL_ALLOW(write),
|
KORE_SYSCALL_ALLOW(write),
|
||||||
KORE_SYSCALL_ALLOW(fcntl),
|
KORE_SYSCALL_ALLOW(fcntl),
|
||||||
KORE_SYSCALL_ALLOW(lseek),
|
KORE_SYSCALL_ALLOW(lseek),
|
||||||
KORE_SYSCALL_ALLOW(close),
|
KORE_SYSCALL_ALLOW(close),
|
||||||
KORE_SYSCALL_ALLOW(openat),
|
KORE_SYSCALL_ALLOW(openat),
|
||||||
|
#if defined(SYS_access)
|
||||||
KORE_SYSCALL_ALLOW(access),
|
KORE_SYSCALL_ALLOW(access),
|
||||||
|
#endif
|
||||||
KORE_SYSCALL_ALLOW(writev),
|
KORE_SYSCALL_ALLOW(writev),
|
||||||
KORE_SYSCALL_ALLOW(getcwd),
|
KORE_SYSCALL_ALLOW(getcwd),
|
||||||
|
#if defined(SYS_unlink)
|
||||||
KORE_SYSCALL_ALLOW(unlink),
|
KORE_SYSCALL_ALLOW(unlink),
|
||||||
|
#endif
|
||||||
|
#if defined(SYS_readlink)
|
||||||
KORE_SYSCALL_ALLOW(readlink),
|
KORE_SYSCALL_ALLOW(readlink),
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Process related. */
|
/* Process related. */
|
||||||
KORE_SYSCALL_ALLOW(exit),
|
KORE_SYSCALL_ALLOW(exit),
|
||||||
|
@ -88,14 +100,18 @@ static struct sock_filter filter_kore[] = {
|
||||||
KORE_SYSCALL_ALLOW(mprotect),
|
KORE_SYSCALL_ALLOW(mprotect),
|
||||||
|
|
||||||
/* Net related. */
|
/* Net related. */
|
||||||
|
#if defined(SYS_poll)
|
||||||
KORE_SYSCALL_ALLOW(poll),
|
KORE_SYSCALL_ALLOW(poll),
|
||||||
|
#endif
|
||||||
KORE_SYSCALL_ALLOW(sendto),
|
KORE_SYSCALL_ALLOW(sendto),
|
||||||
KORE_SYSCALL_ALLOW(accept),
|
KORE_SYSCALL_ALLOW(accept),
|
||||||
KORE_SYSCALL_ALLOW(sendfile),
|
KORE_SYSCALL_ALLOW(sendfile),
|
||||||
KORE_SYSCALL_ALLOW(recvfrom),
|
KORE_SYSCALL_ALLOW(recvfrom),
|
||||||
KORE_SYSCALL_ALLOW(epoll_ctl),
|
KORE_SYSCALL_ALLOW(epoll_ctl),
|
||||||
KORE_SYSCALL_ALLOW(setsockopt),
|
KORE_SYSCALL_ALLOW(setsockopt),
|
||||||
|
#if defined(SYS_epoll_wait)
|
||||||
KORE_SYSCALL_ALLOW(epoll_wait),
|
KORE_SYSCALL_ALLOW(epoll_wait),
|
||||||
|
#endif
|
||||||
KORE_SYSCALL_ALLOW(epoll_pwait),
|
KORE_SYSCALL_ALLOW(epoll_pwait),
|
||||||
|
|
||||||
/* Signal related. */
|
/* Signal related. */
|
||||||
|
@ -291,7 +307,7 @@ kore_seccomp_traceme(void)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
|
if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
|
||||||
fatalx("ptrace. %s", errno_s);
|
fatalx("ptrace: %s", errno_s);
|
||||||
if (kill(worker->pid, SIGSTOP) == -1)
|
if (kill(worker->pid, SIGSTOP) == -1)
|
||||||
fatalx("kill: %s", errno_s);
|
fatalx("kill: %s", errno_s);
|
||||||
}
|
}
|
||||||
|
@ -406,12 +422,26 @@ kore_seccomp_syscall_flag(const char *name, int action, int arg, int value)
|
||||||
static void
|
static void
|
||||||
seccomp_register_violation(struct kore_worker *kw)
|
seccomp_register_violation(struct kore_worker *kw)
|
||||||
{
|
{
|
||||||
|
struct iovec iov;
|
||||||
|
struct user_regs_struct regs;
|
||||||
long sysnr;
|
long sysnr;
|
||||||
|
|
||||||
if ((sysnr = ptrace(PTRACE_PEEKUSER, kw->pid,
|
iov.iov_base = ®s;
|
||||||
sizeof(long) * ORIG_RAX, NULL)) == -1)
|
iov.iov_len = sizeof(regs);
|
||||||
|
|
||||||
|
if (ptrace(PTRACE_GETREGSET, kw->pid, 1, &iov) == -1)
|
||||||
fatal("ptrace: %s", errno_s);
|
fatal("ptrace: %s", errno_s);
|
||||||
|
|
||||||
|
#if SECCOMP_AUDIT_ARCH == AUDIT_ARCH_X86_64
|
||||||
|
sysnr = regs.orig_rax;
|
||||||
|
#elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_I386
|
||||||
|
sysnr = regs.orig_ax;
|
||||||
|
#elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_AARCH64
|
||||||
|
sysnr = regs.regs[8];
|
||||||
|
#else
|
||||||
|
#error "platform not yet supported"
|
||||||
|
#endif
|
||||||
|
|
||||||
kore_log(LOG_INFO, "seccomp violation, worker=%d, syscall=%s",
|
kore_log(LOG_INFO, "seccomp violation, worker=%d, syscall=%s",
|
||||||
kw->id, kore_seccomp_syscall_name(sysnr));
|
kw->id, kore_seccomp_syscall_name(sysnr));
|
||||||
}
|
}
|
||||||
|
|
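Review bot: `sysnr = regs.orig_ax;` in the `AUDIT_ARCH_I386` branch of seccomp_register_violation looks like it will not compile: in the `struct user_regs_struct` that the newly included `<sys/user.h>` declares for i386, glibc and musl name that field `orig_eax` as far as I know (`orig_ax` is the kernel's internal pt_regs name), whereas the x86-64 `orig_rax` and AArch64 `regs[8]` cases do match their headers, so the line should read `sysnr = regs.orig_eax;`. The bare `1` passed as the third argument of `PTRACE_GETREGSET` is `NT_PRSTATUS` (from `<elf.h>`); writing `ptrace(PTRACE_GETREGSET, kw->pid, NT_PRSTATUS, &iov)` documents which register set is fetched. Related to the AArch64 port this hunk enables, the `#if defined(SYS_stat)`/`SYS_lstat`/`SYS_access`/`SYS_unlink`/`SYS_readlink`/`SYS_poll` guards added to filter_kore avoid build breaks but do not allow the calls libc uses instead on that architecture (`newfstatat`, `faccessat`, `unlinkat`, `readlinkat`, `ppoll`), so a worker that performs those operations would trip the filter there; adding the `*at`/`ppoll` entries under matching `#if defined(SYS_...)` guards would close that gap.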